*11:24* [Job][New]
Ph.D. studentships, *Royal Holloway, University of London, UK*
The Information Security Group (ISG) at Royal Holloway, University of London is looking for outstanding young graduates to fill **10 well-funded doctoral studentships in Cyber Security** starting in October 2013.

The ISG is one of the largest and longest-established academic research groups working in cyber security, with a community of 15 academic staff, 10 postdocs and 40 PhD students. The ISG has a wide range of research interests related to cyber security, including the basic components of security services, such as cryptographic algorithms and trusted hardware; management of cryptographic keys; the correctness of the design and implementation of security protocols; the design of security services for embedded systems, business information systems, telecommunications networks and critical infrastructure; the detection and analysis of malware; and the study of economics, psychology, organizational theory, design theory and sociology in the context of information and cyber security.

We will consider applications from candidates with undergraduate and master\\\'s qualifications in a wide range of disciplines, including, but not limited to, mathematics, computer science, and electrical and electronic engineering. Funding is provided by the EPSRC (the UK Engineering and Physical Sciences Research Council), so full studentships are available to UK residents only (see http://www.epsrc.ac.uk/skills/students/help/Pages/eligibility.aspx for further details).

Further details of the research interests of the ISG can be found at http://www.isg.rhul.ac.uk/bin/staff-dir.php. Informal enquiries about the studentships can be made to Dr Carlos Cid, Prof. Jason Crampton, Prof. Keith Martin or Prof. Kenny Paterson ({carlos.cid,jason.crampton,keith.martin,kenny.paterson}@rhul.ac.uk). Further information about applying for the PhD programme at Royal Holloway is available at http://www.rhul.ac.uk/studyhere/research

*06:17* [Pub][ePrint]
Key Wrapping with a Fixed Permutation, by Dmitry Khovratovich
We present an efficient key wrapping scheme that uses a single wide permutation and does not rely on block ciphers. The scheme is capable of wrapping keys up to 1400 bits long and processing arbitrarily long headers. Our scheme easily delivers the security level of 128 bits or higher with the master key of the same length. The permutation can be taken from the sponge hash functions such as SHA-3 (Keccak), Quark, Photon, Spongent.We also present a simple proof of security within the concept of Deterministic Authenticated Encryption (DAE) introduced by Rogaway and

Shrimpton. We extend the setting by allowing the adversary to query the permutation and following the indifferentiability setting in the security proof of the sponge construction.

*00:17* [Pub][ePrint]
Rethinking Definitions of Security for Session Key Agreement, by Wesley George and Charles Rackoff
We consider session key agreement (SKA) protocols operating in a public key infrastructure, with pre-specified peers, that take no session ID as input, and output only a session key. Despite much work on SKA, we argue that there is no good definition of security for this (very natural) protocol syntax. The difficulty is that in this setting the adversary may not be able to tell which processes share a key, and thus which session keys may be revealed without trivializing the security condition.We consider security against adversaries that control all network traffic, can register arbitrary public keys, and can retrieve session keys. We do not attempt to mitigate damage from hardware failures, such as session-state compromise, as we aim to improve our understanding of this simpler setting. We give two natural but substantially different game based definitions of security and prove that they are equivalent. Such proofs are rare for SKA. The bulk of this proof consists of showing that, for secure protocols, only compatible processes can be made to share a key. This property is very natural but surprisingly subtle. For comparison, we give a version of our definition in which processes output session IDs and we give strong theorems relating these two types of definitions.

*00:17* [Pub][ePrint]
Limitations of the Meta-Reduction Technique: The Case of Schnorr Signatures, by Marc Fischlin and Nils Fleischhacker
We revisit the security of Fiat-Shamir signatures in the non-programmable random oracle model. The well-known proof by Pointcheval and Stern for such signature schemes (Journal of Cryptology, 2000) relies on the ability to re-program the random oracle, and it has been unknown if this property is inherent. Pailler and Vergnaud (Asiacrypt 2005) gave some first evidence of the hardness by showing via meta-reduction techniques that algebraic reductions cannot succeed in reducing key-only attacks against unforgeability to the discrete-log assumptions. We also use meta-reductions to show that the security of Schnorr signatures cannot be proven equivalent to the discrete logarithm problem without programming the random oracle. Our result also holds under the one-more discrete logarithm assumption but applies to a large class of reductions, we call *single-instance* reductions, subsuming those used in previous proofs of security in the (programmable) random oracle model. In contrast to algebraic reductions, our class allows arbitrary operations, but can only invoke a single resettable adversary instance, making our class incomparable to algebraic reductions.Our main result, however, is about meta-reductions and the question if this technique can be used to further strengthen the separations above. Our answer is negative. We present, to the best of our knowledge for the first time, limitations of the meta-reduction technique in the sense that finding a meta-reduction for general reductions is most likely infeasible. In fact, we prove that finding a meta-reduction against a potential reduction is equivalent to finding a ``meta-meta-reduction\'\' against the strong existential unforgeability of the signature scheme. This means that the existence of a meta-reduction implies that the scheme must be insecure (against a slightly stronger attack) in the first place.

*09:54* [Job][New]
PhD students and Postdocs in Symmetric Crypto, *DTU, Copenhagen, Denmark*
The cryptology section at the department of applied mathematics and computer science at the Technical University of Denmark (DTU Compute) is looking for up to two Post-Docs and two Ph.D. students in the area of symmetric cryptology.For more information please contact Christian Rechberger (crec (at) dtu.dk).